openconnect: updated to 8.10 to address CVE-2020-12823

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-09-23 18:04:56 +02:00 · 2020-09-23 18:04:56 +02:00 · ac7f782850
commit ac7f782850
parent 3f0e266378
2 changed files with 31 additions and 9 deletions
--- a/net/openconnect/Makefile
+++ b/net/openconnect/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=openconnect
-PKG_VERSION:=8.09
+PKG_VERSION:=8.10
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/
-PKG_HASH:=f39802be4c3a099b211ee4cc3318b3a9a195075deab0b4c1c5880c69340ce9a6
+PKG_HASH:=30e64c6eca4be47bbf1d61f53dc003c6621213738d4ea7a35e5cf1ac2de9bab1

 PKG_LICENSE:=LGPL-2.1-or-later
 PKG_LICENSE_FILES:=COPYING.LGPL
@ -42,13 +42,15 @@ define Package/openconnect
 endef

 define Package/openconnect/description
-	A VPN client compatible with Cisco's AnyConnect SSL VPN, ocserv and Juniper (Pulse secure).
+	A VPN client compatible with several SSL VPN implementations (ocserv, Cisco AnyConnect, Juniper, Palo Alto)

-        OpenConnect is a client that follows the Cisco's AnyConnect SSL VPN protocol,
-        which is supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800,
-        2800, 3800, 7200 Series and Cisco 7301 Routers, as well as the OpenConnect
-        VPN server. It has later been ported to support the Juniper SSL VPN which
-        is now known as Pulse Connect Secure.
+	OpenConnect is an SSL VPN client initially created to support Cisco's
+	AnyConnect SSL VPN. It has since been extended to support the Pulse Connect
+	Secure VPN (formerly known as Juniper Network Connect or Junos Pulse) and
+	the Palo Alto Networks GlobalProtect SSL VPN.
+
+	A corresponding OpenConnect VPN server implementation can be found in the
+	ocserv package.
 endef

 CONFIGURE_ARGS += \
--- a/net/openconnect/files/openconnect.sh
+++ b/net/openconnect/files/openconnect.sh
@ -15,6 +15,7 @@ proto_openconnect_init_config() {
 	proto_config_add_int "port"
 	proto_config_add_int "mtu"
 	proto_config_add_int "juniper"
+	proto_config_add_boolean "no_dtls"
 	proto_config_add_string "interface"
 	proto_config_add_string "username"
 	proto_config_add_string "serverhash"
@ -39,7 +40,25 @@ proto_openconnect_add_form_entry() {
 proto_openconnect_setup() {
 	local config="$1"

-	json_get_vars server port interface username serverhash authgroup usergroup password password2 token_mode token_secret token_script os csd_wrapper mtu juniper form_entry
+	json_get_vars \
+		authgroup \
+		csd_wrapper \
+		form_entry \
+		interface \
+		juniper \
+		mtu \
+		no_dtls \
+		os \
+		password \
+		password2 \
+		port \
+		server \
+		serverhash \
+		token_mode \
+		token_script \
+		token_secret \
+		usergroup \
+		username \

 	grep -q tun /proc/modules || insmod tun
 	ifname="vpn-$config"
@ -55,6 +74,7 @@ proto_openconnect_setup() {
 	[ -n "$port" ] && port=":$port"

 	append_args "$server$port" -i "$ifname" --non-inter --syslog --script /lib/netifd/vpnc-script
+	[ "$no_dtls" = 1 ] && append_args --no-dtls
 	[ -n "$mtu" ] && append_args --mtu "$mtu"

 	# migrate to standard config files